The SEC settled an enforcement action against a firm registered as both a broker-dealer and an investment adviser (the “Registrant”) for the Registrant’s failure to adopt written policies and procedures reasonably designed to safeguard personal customer information under Rule 30(a) of Regulation S-P (the “Safeguards Rule”). The Safeguards Rule requires registered broker-dealers and advisers, and other entities subject to SEC regulation, to maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, and that are reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information.
Unauthorized Access. In its order settling the enforcement proceeding, the SEC found that in or around November 2008 an unauthorized person accessed and traded, or attempted to trade, in customer accounts of the Registrant by using a computer virus to gain access to the login credentials of a registered representative (an “RR”) of the Registrant. The credentials allowed access to the Registrant’s intranet (the “Intranet”), which provides access to a proprietary trading platform operated by the Registrant’s clearing broker (the “Trading Platform”). Once logged on to the Intranet, the unauthorized person gained access to non‑public information for 368 customer accounts and used the Trading Platform to place, or attempt to place, eighteen unauthorized trades across eight customer accounts totaling over $523,000 in securities of one publicly traded company. The clearing broker detected the unauthorized purchases within ten minutes and was able to block most of them; however, some unauthorized purchases were executed resulting in an aggregate loss of $8,000 that was absorbed by the Registrant.
Registrant’s Practices. The SEC noted that, at all relevant times, the Registrant recommended – but did not require – that its RRs maintain antivirus software on their personal computers, which the RRs used to access the Intranet and Trading Platform to trade for customer accounts. The RRs are independent contractors and are responsible for providing their own computer hardware and software. (The Registrant has approximately 1,600 RRs operating from approximately 1,069 branch offices.) In the two months prior to the intrusions, the Registrant’s information technology help desk (the “Help Desk”) received several calls from the RR whose computer would suffer the unauthorized access in November 2008, indicating that the RR’s computer system had been compromised by a software virus. During one such call in September 2008 the Help Desk noted that the RR’s computer lacked antivirus software and recommended that the RR install antivirus software. During a subsequent call, which took place one day prior to the first known intrusion, the Help Desk noted that the RR’s computer was infected with a “major virus” and recommended that the RR see his local computer technology person. The Help Desk did not follow up with the RR in either case to determine whether the RR had taken appropriate action. The SEC also found that the Registrant’s internal auditors did not audit branch office computers to determine whether antivirus software was installed, nor did the Registrant have procedures in place to follow up on potential computer security issues uncovered during branch audits or when RRs contacted the Help Desk for computer-related assistance.
Violations of the Safeguards Rule. The SEC’s determination that the Registrant did not comply with the Safeguards Rule was based on findings that the Registrant: (1) failed to implement adequate procedures requiring RRs to maintain appropriate security measures on their personal computers where customer information was stored; (2) failed to maintain procedures requiring that RRs’ personal computers be monitored and/or audited to ensure that security measures were correctly implemented and maintained; and (3) failed to maintain procedures requiring proper follow-up on potential security issues reported by RRs. In making these findings, the SEC noted that although the Registrant’s written policies for customer records and information prior to the November 2008 intrusions addressed in certain respects the administrative, technical, and physical safeguards for the protection of its customer records and information, by (a) failing to require basic safeguards such as antivirus software on all of the RRs’ computers conducting business using the Intranet and (b) failing to follow up, or have written procedures addressing the follow-up, on security issues either uncovered in branch audits or reported to the Help Desk, the Registrant failed to adhere to the standards of reasonable design imposed by the Safeguards Rule.

Sanctions. Under the terms of the settlement, which reflected the SEC’s consideration of the Registrant’s remedial efforts and cooperation, the Registrant is subject to a cease-and-desist order and censure, and is required to pay a penalty of $100,000.